1) The same MAC address appears on different switch ports; port-security is disabled on both ports.
With port-security disabled, a MAC address can show up on one switch port, then move to another one and so on. Every time a frame with that source address arrives on a different port, the CAM table is updated:
SW1#debug ip icmp
ICMP packet debugging is on
SW1#
*Mar 1 00:37:13.148: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/1
SW1#
*Mar 1 00:37:40.444: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/2
SW1#
*Mar 1 00:37:55.737: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/1
Here MAC address 0007.50fc.5880 was first learned on Gi2/0/1; after the switch received a ping on the second port, Gi2/0/2, the CAM table was updated, and when the next ping arrived on Gi2/0/1 the entry moved back again. This is normal behaviour: a switch does not refuse to learn an already-known MAC address on a different port, it simply overwrites the entry. If it did refuse, hosts could never move between ports and Spanning Tree could not reroute traffic after a topology change, which is exactly its job. The security consequence is the flip side of the same property: a host that sends frames with another station's source MAC address moves that station's CAM entry to its own port, and until the legitimate station transmits again the switch delivers the victim's unicast traffic to the spoofing host. Port-security exists to constrain this, and the remaining cases test how well it does.
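The behaviour above is easy to watch for. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses successive `show mac address-table` snapshots in the IOS format shown above and reports every time a MAC address is learned on a different port than before, which is the footprint a MAC-spoofing host leaves. The snapshots are constructed from the three outputs in this case plus one invented STATIC entry; the snapshot labels are hypothetical timestamps.

```python
import re
from collections import Counter

# One entry row of "show mac address-table": VLAN, MAC, type, port(s).
# Header, separator and prompt lines do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>[A-Za-z]+)\s+"
    r"(?P<ports>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(output):
    """Map (vlan, mac) -> (entry type, port) for every entry row in the output."""
    table = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            key = (int(m["vlan"]), m["mac"].lower())
            table[key] = (m["type"].upper(), m["ports"])
    return table


def detect_mac_moves(snapshots):
    """snapshots: list of (label, show-output) in chronological order.
    Returns a list of (label, vlan, mac, old_port, new_port), one per move.
    An address that stays on its port between snapshots is not reported."""
    last_port = {}
    moves = []
    for label, output in snapshots:
        for key, (_entry_type, port) in parse_mac_table(output).items():
            old = last_port.get(key)
            if old is not None and old != port:
                moves.append((label, key[0], key[1], old, port))
            last_port[key] = port
    return moves


def flapping_macs(moves, threshold=2):
    """MAC addresses that moved at least `threshold` times: the pattern of a
    station being spoofed while the real one keeps transmitting."""
    counts = Counter(mac for _label, _vlan, mac, _old, _new in moves)
    return sorted(mac for mac, n in counts.items() if n >= threshold)


# Constructed snapshots: the three outputs from the post, plus a STATIC entry
# (invented for this example) that must never be reported as moving.
HEADER = """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
"""
SNAPSHOTS = [
    ("00:37:13", HEADER + "   1    0007.50fc.5880    DYNAMIC     Gi2/0/1\n"
                          "   1    0011.2233.4455    STATIC      Gi2/0/5\n"),
    ("00:37:40", HEADER + "   1    0007.50fc.5880    DYNAMIC     Gi2/0/2\n"
                          "   1    0011.2233.4455    STATIC      Gi2/0/5\n"),
    ("00:37:55", HEADER + "   1    0007.50fc.5880    DYNAMIC     Gi2/0/1\n"
                          "   1    0011.2233.4455    STATIC      Gi2/0/5\n"),
]

if __name__ == "__main__":
    moves = detect_mac_moves(SNAPSHOTS)
    for label, vlan, mac, old, new in moves:
        print(f"{label}: vlan {vlan} {mac} moved {old} -> {new}")
    print("flapping:", flapping_macs(moves))
```

Run against the constructed snapshots it reports the two moves of 0007.50fc.5880 (Gi2/0/1 to Gi2/0/2 and back) and flags that address as flapping, while the STATIC entry is never reported. In practice the snapshots would come from periodic `show mac address-table` polls or from `mac-address-table` move notifications exported by the switch.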
2) The CAM table has a static entry for a particular MAC address, and the same address then appears on a different port. Port-security is disabled.
When the switch has a static entry for a MAC address (created with mac address-table static ... vlan ... interface ...) and that address shows up on a different port, the CAM table is not updated. Frames arriving on the second port are still accepted, but anything sent back to that MAC address (here the ICMP echo reply from the switch) is forwarded out the statically configured port, so the host behind the second port never receives it: the switch keeps using the static (now wrong!) entry.
For the rest of this post I will use two ports on my switch, Gi2/0/3 and Gi2/0/4.
3) Gi2/0/3 with port-security but without sticky learning, Gi2/0/4 without port-security
When Gi2/0/3 has port-security enabled and Gi2/0/4 has it disabled, the running configuration is very simple:
SW1#show running-config interface gi2/0/3
!
interface GigabitEthernet2/0/3
switchport mode access
switchport port-security
spanning-tree portfast
end
SW1#show running-config interface gi2/0/4
!
!
interface GigabitEthernet2/0/4
switchport mode access
spanning-tree portfast
end
With these settings the same MAC address can first appear on Gi2/0/3, then on Gi2/0/4 and finally on Gi2/0/3 again. Each time the CAM table is updated and no violation occurs: Gi2/0/4 is not a secured port, so nothing checks the address there, and on Gi2/0/3 the single address never exceeds the default maximum of one secure MAC address.
4) Gi2/0/3 and Gi2/0/4 have the same configuration, with port-security enabled, but without sticky learning.
Here the results are the same as before: the CAM table is updated and no violation occurs. Note how the address changes port in these tests: the cable is moved (the logs in case 6 show Gi2/0/3 going down before Gi2/0/4 comes up), and dynamically learned secure addresses are removed from a port when its link goes down. By the time the frame arrives on Gi2/0/4 the address is no longer secured on Gi2/0/3. Sticky addresses are written into the running configuration and survive the link flap, which is what makes cases 6 and 7 behave differently.
5) Gi2/0/3 has port-security enabled with sticky learning, Gi2/0/4 has port-security disabled
Here there is a new line in the running configuration: switchport port-security mac-address sticky 0007.50fc.5880 vlan access. Interestingly, when this MAC address appears on the second port the running configuration does not change, but the CAM table is updated (remember that Gi2/0/4 has port-security disabled). Pings work on both ports (Gi2/0/3 and Gi2/0/4) and no violation occurs:
SW1#show run int gi2/0/3
!
interface GigabitEthernet2/0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0007.50fc.5880 vlan access
spanning-tree portfast
end
SW1#show run int gi2/0/4
!
interface GigabitEthernet2/0/4
switchport mode access
spanning-tree portfast
end
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/4
6) Gi2/0/3 has port-security enabled and sticky learning, Gi2/0/4 has only port-security, without sticky learning:
Here, as soon as MAC address 0007.50fc.5880 appears on the second interface, which also has port-security enabled, that interface is put into the err-disabled state. The log shows the sequence: Gi2/0/3 goes down as the cable is pulled, Gi2/0/4 comes up, and the first frame from the sticky address triggers the violation:
SW1#
*Mar 1 00:36:04.436: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:36:05.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/3, changed state to down
SW1#
*Mar 1 00:36:06.374: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
SW1#
*Mar 1 00:36:06.441: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/3, changed state to down
SW1#
*Mar 1 00:36:08.362: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/4, changed state to up
*Mar 1 00:36:08.983: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/4, putting Gi2/0/4 in err-disable state
*Mar 1 00:36:08.983: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0007.50fc.5880 on port GigabitEthernet2/0/4.
SW1#
*Mar 1 00:36:08.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
SW1#show port-security interface gi2/0/3
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0007.50fc.5880:1
Security Violation Count : 0
SW1#show port-security interface gi2/0/4
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0007.50fc.5880:1
Security Violation Count : 1
So it is clear that ping doesn't work through Gi2/0/4: the violation mode is shutdown, the port is err-disabled (Secure-shutdown, Security Violation Count : 1) and the address is gone from the CAM table. The port stays in that state until an administrator does shutdown / no shutdown on it or errdisable recovery is enabled for the psecure-violation cause. When we move the cable back to Gi2/0/3, the CAM table is updated again and pings arriving on Gi2/0/3 are accepted: the sticky entry still belongs to that port (Sticky MAC Addresses : 1, Security Violation Count : 0 above), and Secure-down there only meant that the link was down.
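The violation above leaves two traces worth collecting: the syslog pair (%PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION) and the Secure-shutdown status in show port-security interface. The script below is an added example, not code from the post or from Cisco: it parses both formats, correlates a violation with the err-disable event on the same port (the two messages spell the interface name differently), and tells you which ports need a shutdown / no shutdown to recover. The sample log lines and show output are constructed from the ones shown in this case, with one extra, invented ERR_DISABLE line for a different cause.

```python
import re

# IOS timestamp prefix, e.g. "*Mar 1 00:36:08.983: ". The leading "*" marks
# a clock that is not synchronised (no NTP); it is optional in the pattern.
TS_RE = r"^\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"

VIOLATION_RE = re.compile(
    TS_RE + r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+[0-9/]+)\.?$",
    re.IGNORECASE,
)
ERR_DISABLE_RE = re.compile(
    TS_RE + r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on "
    r"(?P<port>[^,\s]+), putting \S+ in err-disable state$"
)

# PORT_SECURITY messages use long interface names, PM messages use short ones.
SHORT_NAMES = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
               ("FastEthernet", "Fa"), ("Ethernet", "Et"))


def short_ifname(name):
    """GigabitEthernet2/0/4 -> Gi2/0/4, so both message formats can be joined."""
    for long_name, short in SHORT_NAMES:
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_violations(syslog):
    """One dict per PSECURE_VIOLATION message, flagged err_disabled when a
    psecure-violation ERR_DISABLE message exists for the same port.
    Message order does not matter; ERR_DISABLE is usually logged first."""
    err_disabled = set()
    violations = []
    for line in syslog.splitlines():
        line = line.strip()
        m = ERR_DISABLE_RE.match(line)
        if m and m["cause"] == "psecure-violation":
            err_disabled.add(short_ifname(m["port"]))
            continue
        m = VIOLATION_RE.match(line)
        if m:
            violations.append({"ts": m["ts"], "mac": m["mac"].lower(),
                               "port": short_ifname(m["port"])})
    for v in violations:
        v["err_disabled"] = v["port"] in err_disabled
    return violations


def parse_port_security(output):
    """Parse 'show port-security interface' into a dict of field -> value."""
    fields = {}
    for line in output.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields


def needs_recovery(fields):
    """True when the port was shut down by a violation. Secure-down (Gi2/0/3
    in this case) only means the link is down and is not a violation."""
    return fields.get("Port Status") == "Secure-shutdown"


# Constructed sample: the syslog lines from the post plus one invented
# ERR_DISABLE line for another cause that must not be attributed to port security.
SYSLOG = """\
*Mar 1 00:36:08.362: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/4, changed state to up
*Mar 1 00:36:08.983: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/4, putting Gi2/0/4 in err-disable state
*Mar 1 00:36:08.983: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0007.50fc.5880 on port GigabitEthernet2/0/4.
*Mar 1 00:36:08.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:40:00.000: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/0/7, putting Gi2/0/7 in err-disable state
"""

# The "show port-security interface gi2/0/4" output from the post.
SHOW_GI4 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0007.50fc.5880:1
Security Violation Count   : 1
"""

if __name__ == "__main__":
    for v in parse_violations(SYSLOG):
        state = "err-disabled" if v["err_disabled"] else "still up"
        print(f"{v['ts']} {v['port']}: violation by {v['mac']} ({state})")
    print("Gi2/0/4 needs shutdown/no shutdown:",
          needs_recovery(parse_port_security(SHOW_GI4)))
```

The MAC address in the violation message is the one to look up elsewhere: if it belongs to a port with a sticky entry, as in this case, the alert most likely means a moved cable or a spoofed station rather than a new device, and that is the distinction an analyst wants before re-enabling the port.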
7) Both ports are configured with port-security and sticky MAC address learning
The same as in the 6th case.
To sum up (yes = the same MAC address is accepted on two different switch ports, no = it is not accepted; "-" means the feature is off on that interface, "+" means it is on):

                                                 | 1st interface        | 1st interface        | 1st interface
                                                 | - port-security      | + port-security      | + port-security
                                                 | - sticky learning    | - sticky learning    | + sticky learning
-------------------------------------------------+----------------------+----------------------+---------------------
2nd interface - port-security - sticky learning  | yes                  | yes                  | yes
2nd interface + port-security - sticky learning  | yes                  | yes                  | no
2nd interface + port-security + sticky learning  | yes                  | no                   | no

The switch refuses the move only when both ports have port-security and at least one of them has learned the address as a sticky entry; with plain dynamic port-security on both sides the address is accepted everywhere.